WEP Cracking (Backtrack 3); How to test your own network...
Topic Started: May 22 2009, 01:20 PM (94 Views)
xdemo
Backtrack 3: How to test your own network for weak passwords

**PLEASE NOTE LACK OF PICTURES, CURRENTLY BEING WORKED ON**

This assumes you have the Backtrack 3 OS, either as a Live CD or installed to a hard disk; it does not matter which. Because Backtrack 4 is still in the beta stages of development, this guide may not work on it, so it is recommended that you use Backtrack 3 to perform this test.

Before you perform this penetration test, please read....

The Sector 4 team is not responsible for any activities you pull off with this tutorial. Any malicious/illegal activity you carry out falls completely on you. This is for you to test the security of your own network or a network you have been given permission to test.

Keyword: IV

WEP Initialization Vectors (WEP IVs): WEP IVs are values carried in the packets sent over the air between a wireless client and the access point. Many captured WEP IVs can be collected and reconstructed into one file, from which it may be possible to recover the full password as a HEX or ASCII value.


1. Preparing the victim network for attack
Once BT3 has booted, load up a new Konsole. Now we must temporarily adjust your wireless card settings.

Type:
Code:
airmon-ng

You will see your wireless card's name (wlan0, ath0 or similar). From here on, replace "wlan0" with the name of your card.

The following bash commands must be entered in this order:

Type:
Code:
airmon-ng stop wlan0

Code:
ifconfig wlan0 down

Code:
macchanger --mac 00:11:22:33:44:55 wlan0

Code:
airmon-ng start wlan0


What you have just done is temporarily disable your wireless chipset and assign it a fake/spoofed MAC address. This precaution is used JUST IN CASE your computer is discovered by someone while you are breaking in: they will not see your REAL MAC address.

Type:
Code:
airodump-ng wlan0

You should see a list of wireless networks start to appear. Some will have a better signal than others, and it's a good idea to pick one with a decent signal, otherwise it will take forever to crack.
Once you see the network that you want to crack, do this:

  • Press Ctrl + C
This stops airodump-ng from populating new networks and pauses the Konsole window so that you can extract the information you will need.

2. Gathering Information
Now find the network that you want to crack and make sure its encryption is WEP. Take note of its channel number (CH) and its BSSID. The BSSID will look something like the MAC address you assigned to your card in the previous step.

In the same Konsole window you just ran airodump in, type:

Code:
airodump-ng -c <channel> -w <file name> --bssid <bssid> wlan0

For example, if I wanted to gather packets from 00:11:22:aa:bb:cc on channel 6,
I would type: airodump-ng -c 6 -w wepkey --bssid 00:11:22:aa:bb:cc wlan0

File name: can be anything. It's simply the place where airodump is going to store the WEP IVs that you will crack later, so it is advised to call it "wep" or something similarly memorable.

**Warning: if you attempt to crack more than one network in the same session, you must use a different file name for each one or it won't work: wep1, wep2, wep3, etc.

You will see a column headed "IV" with a number underneath it. This stands for "Initialization Vector". Once you have gathered at least 5,000 of these IVs, it is possible to crack the password. Anything from 5,000 to 60,000 is plausible, whereas some networks have been known to need over 250,000 unique WEP IVs before they crack.

Two main factors to be aware of while gathering IVs:

  • How long or difficult they made the password.
  • The current network traffic: you may receive more or fewer packets depending on the current data flow.
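To show why the IV count matters, here is an added Python example that is not part of the original post. It treats the IV as the 24-bit value WEP actually prepends to every encrypted frame and uses the birthday bound to compute how quickly IVs start repeating as frames are captured; the per-second traffic rates in it are constructed sample values, and the three IV counts are the ones quoted above.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to every encrypted frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IV values per key


def iv_collision_probability(frames: int) -> float:
    """Probability that at least two of `frames` frames share an IV.

    Uses the standard birthday-bound approximation
    P(no repeat) ~= exp(-n(n-1) / 2N) with N = IV_SPACE.
    """
    if frames < 2:
        return 0.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_for_collision_probability(p: float) -> int:
    """Smallest frame count at which an IV repeat is at least `p` likely."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-2.0 * IV_SPACE * math.log(1.0 - p)))


def seconds_to_exhaust_ivs(frames_per_second: float) -> float:
    """Seconds until a link sending at this rate has used every IV once."""
    return IV_SPACE / frames_per_second


if __name__ == "__main__":
    print("IV space: %d values" % IV_SPACE)
    for n in (5_000, 60_000, 250_000):  # the IV counts quoted in the post
        print("%7d IVs captured -> P(IV repeat) = %.4f"
              % (n, iv_collision_probability(n)))
    print("50%% repeat chance after %d frames"
          % frames_for_collision_probability(0.5))
    for rate in (50.0, 500.0):  # constructed sample traffic rates, frames/s
        print("%5.0f frames/s exhausts all IVs in %.1f hours"
              % (rate, seconds_to_exhaust_ivs(rate) / 3600))
```

The numbers explain the thresholds in the post from the defender's side: an IV repeat is already a coin flip at roughly 4,800 frames, and a busy link burns through all 16.7 million IVs in hours, so the weakness is in the protocol rather than in the password, and the only real fix is to move the network off WEP.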
3. Injecting ARP requests and gathering WEP IVs
Now leave this Konsole window up and running while it captures packets from your selected network, and open a 2nd Konsole window.

Code:
aireplay-ng -1 0 -a <bssid> -h 00:11:22:33:44:55 wlan0

Tip: you must change "<bssid>" to the correct BSSID of the network you are currently capturing IVs from.

This will send fake beacons across the airspace to associate your computer with the network even though you are not officially connected. If this command is successful, you should see the text "Association successful :-)".

Now type:
Code:
aireplay-ng -3 -b <bssid> -h 00:11:22:33:44:55 wlan0

You will see your computer gathering packets and waiting on ARP and ACK requests. Now sit back and relax.

Once your computer finally captures an ARP request, it will send it back to the router and begin to generate ARP and ACK packets. Sometimes this happens almost immediately; sometimes you have to wait a few minutes. When it finally does happen, switch back to your first Konsole window and you should see the number of captured IVs start to rise. When you have roughly 5,000-6,000 you can start your password crack. Bear in mind, it will probably take a lot more captured WEP IVs to successfully crack the password.

4. Cracking the Password
Load up another Konsole window. This is where we actually crack the password. Type:

Code:
aircrack-ng -b <bssid> <filename>-01.cap

Replace the bssid with the network's, and remember the name of the file you chose to save to earlier (i.e. if you called your file wep, type in "wep-01.cap").

You should see aircrack-ng begin to crack the password. From here onwards the process is automated. If something like "not enough IVs. Retry at 10,000." appears, DON'T exit anything. It will continue running, but is letting you know that it is on standby until more IVs are gathered. Once you pass the 10,000 mark it will automatically run again and try to crack it. If this fails it will say "not enough IVs. Retry at 15,000." and so on until aircrack-ng finally gets it.

5. Examining the results
Before too long aircrack-ng will crack the password. If the password obtained is not the same as the one you set on your network, in most cases it will still be useful. Sometimes passwords are saved as ASCII or HEX. It doesn't matter either way, because you can type in either one and it will connect you to the network.

A simple reminder:
Every cracked password is displayed in blocks.
For example, if the network's password was "topsecret1" and aircrack-ng cracked it, it will be displayed locally as either:

ASCII format: "to:ps:ec:re:t1"
HEX format: "74:6F:70:73:65:63:72:65:74:31"

Just remove the colons from the cracked password, boot back into your primary OS, click connect to a network and, when prompted for a password, enter your hex/ASCII value.
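As an added example that is not part of the original post, here is a small Python helper that takes a key in either of the colon-separated display forms shown above, recovers the raw key bytes, gives both the hex and ASCII spellings you would type into a client, and reports whether the length is one of the standard WEP key sizes (40-bit or 104-bit). The two "topsecret1" displays are the ones from the post; the "AB:CD:EF:01:23" key is a constructed sample whose bytes are not all printable.

```python
import string

HEX_DIGITS = set(string.hexdigits)
STANDARD_KEY_BITS = {40, 104}   # "64-bit" and "128-bit" WEP key sizes


def parse_displayed_key(display, fmt=None):
    """Turn a colon-separated key as printed by the cracker into a usable key.

    fmt may be "hex", "ascii", or None to auto-detect: a display whose blocks
    are all two hex digits is taken as hex, anything else as ASCII text.
    """
    blocks = display.strip().split(":")
    looks_hex = all(len(b) == 2 and set(b) <= HEX_DIGITS for b in blocks)
    if fmt is None:
        fmt = "hex" if looks_hex else "ascii"
    if fmt == "hex":
        if not looks_hex:
            raise ValueError("not a hex key display: %r" % display)
        key = bytes.fromhex("".join(blocks))
    elif fmt == "ascii":
        key = "".join(blocks).encode("ascii")   # raises on non-ASCII input
    else:
        raise ValueError("fmt must be 'hex', 'ascii' or None")
    printable = all(32 <= b < 127 for b in key)
    return {
        "hex": key.hex().upper(),                             # type as a hex key
        "ascii": key.decode("ascii") if printable else None,  # or as a text key
        "bits": len(key) * 8,
        "standard_length": len(key) * 8 in STANDARD_KEY_BITS,
    }


if __name__ == "__main__":
    # The two display forms quoted in the post for "topsecret1".
    for shown in ("74:6F:70:73:65:63:72:65:74:31", "to:ps:ec:re:t1"):
        print(shown, "->", parse_displayed_key(shown))
    # Constructed 40-bit key whose bytes are not all printable ASCII.
    print(parse_displayed_key("AB:CD:EF:01:23"))
```

Auto-detection is ambiguous for a text key made only of hex letters and digits (a display like "de:ad:be:ef:00"), which is why fmt can be forced. Note that the post's example "topsecret1" decodes to 80 bits, which is not a standard WEP key length; real WEP keys come out as 5 or 13 characters (10 or 26 hex digits), so a non-standard length is a hint that the display was read wrongly.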

Congratulationz! You are in!

I will gladly answer any legitimate questions anyone has to the best of my knowledge. Please try to Google, or search any existing threads before asking however.